Wednesday, April 24, 2013

fork bombz

The first time I saw this series of characters (about 10 years ago) they looked interesting and not very harmful. So I ran the code .. and a few seconds later my system froze. Try this (in bash):

                                          :(){ :|:& };:

It's basically a function (named ":") that calls itself recursively: each call pipes one copy of itself into another and backgrounds the pair, so the number of processes doubles with every generation until the process table is full and nothing else can fork. The way to protect the system against this is to set ulimit -u (the maximum number of processes a user may have) to some finite value. Two caveats: the limit counts all of that user's processes together, not just the bomb's, and root is exempt from it, so play with it as an ordinary user. It's fun to play with them though ..

warning: you may have to hard reboot your system .. (no biggie for people accustomed to windoze)
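A safer way to look at the bomb and at the ulimit -u defence, as an added example that is not part of the original post: the one-liner is written out as a readable function that is defined but never called, and a few helper functions check whether the calling shell has a finite process cap and lower it in a subshell. The cap value 200 and the limits.conf line are illustrative assumptions, not values from the post.

```shell
#!/bin/bash
# Added example (not from the original post): a readable copy of the fork
# bomb, kept as a definition only, plus helpers that check and apply the
# ulimit -u defence. Nothing here spawns processes in a loop.

# `:(){ :|:& };:` with the function renamed. Defined, never called here.
bomb() {
    bomb | bomb &      # two copies per call, in the background: 2^n growth
}

# limit_is_finite VALUE -> 0 if VALUE is a number, 1 if "unlimited",
# 2 if it is neither (unexpected ulimit output).
limit_is_finite() {
    case "$1" in
        unlimited)    return 1 ;;
        ''|*[!0-9]*)  return 2 ;;
        *)            return 0 ;;
    esac
}

# Soft cap on the number of processes for the calling user (RLIMIT_NPROC).
current_nproc_limit() {
    ulimit -S -u
}

# 0 if the calling shell's process cap is finite, non-zero otherwise.
nproc_limit_is_finite() {
    limit_is_finite "$(current_nproc_limit)"
}

# Lower the soft cap for this shell and everything it starts. An unprivileged
# user may lower a soft limit but not raise it past the hard limit, so a
# login-wide value belongs in /etc/security/limits.conf (see below).
cap_nproc() {
    ulimit -S -u "$1"
}

# Demonstration: a low cap in a subshell, so the caller's shell keeps its own.
(
    cap_nproc 200      # assumed value for the demo
    if nproc_limit_is_finite; then
        echo "subshell cap: $(current_nproc_limit) processes; fork() past that fails with EAGAIN"
    fi
)

if nproc_limit_is_finite; then
    echo "this shell: cap is $(current_nproc_limit) processes"
else
    echo "this shell: no cap at all; add a line like this to /etc/security/limits.conf:"
    echo "    *    hard    nproc    4096"   # assumed example value
fi
```

The check uses the soft limit on purpose: that is the value the kernel compares against on fork(), and it is the one a user can lower for a single shell to experiment with. Remember that root bypasses RLIMIT_NPROC, so a cap only protects you if you detonate the bomb as an unprivileged user.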

Tuesday, April 16, 2013

Firestarter log parser scriptlet

Some time ago, I noticed constant incoming traffic on one of my boxes. Firestarter was running on it and I thought I'd give the "events log" a look. There were 1000+ blocked connections, many of which looked like scans .. and many were .. The most scanned port was ms-sql (not surprised at all). So I whipped up a quick scriptlet to get the busiest source IPs and "whois" them to find out where they were coming from ..

The results :

---------------- 124 scans from 91.198.174.234 ------------------------
descr:          Wikimedia's Amsterdam cluster (knams)
descr:          Wikimedia Foundation, Inc.
country:        NL
address:        Wikimedia Foundation, Inc.
address:        USA
address:        US
address:        San Francisco, CA 94105 USA
address:        San Francisco
address:        CA 94105 San Francisco
address:        CA 94105
address:        3rd Floor
address:        3rd floor
address:        149 New Montgomery Street
address:        149 New Montgomery, 3rd Floor
---------------------------------------------------------------
---------------- 109 scans from 91.198.174.233 ------------------------
descr:          Wikimedia's Amsterdam cluster (knams)
descr:          Wikimedia Foundation, Inc.
country:        NL
address:        Wikimedia Foundation, Inc.
address:        USA
address:        US
address:        San Francisco, CA 94105 USA
address:        San Francisco
address:        CA 94105 San Francisco
address:        CA 94105
address:        3rd Floor
address:        3rd floor
address:        149 New Montgomery Street
address:        149 New Montgomery, 3rd Floor
---------------------------------------------------------------
---------------- 37 scans from 81.0.237.38 ------------------------
descr:          Gransy s.r.o.
descr:          Casablanca INT
country:        CZ
address:        Vinohradska 184, Prague 3 - 130 52
address:        Czech republic
address:        Casablanca INT
---------------------------------------------------------------
---------------- 18 scans from 58.221.60.159 ------------------------
descr:          China Telecom
descr:          CHINANET jiangsu province network
descr:          Beijing 100088
descr:          A12,Xin-Jie-Kou-Wai Street
country:        CN
address:        No.31 ,jingrong street,beijing
address:        260 Zhongyang Road,Nanjing 210037
address:        100032
---------------------------------------------------------------

---------------- 10 scans from 42.96.185.184 ------------------------
descr:          Chaoyang District,Beijing
descr:          Alibaba (Beijing) Technology Co., Ltd.
descr:          9F,Tower A Winterless center,NO.1 West Da Wang Lu,
country:        CN
Comment:        using this IP address range and is not able to investigate
Comment:        This IP address range is not registered in the ARIN database.
Comment:        spam or abuse reports relating to these addresses. For more
address:        No.99 HuaXing Rd. Hangzhou,310099
---------------------------------------------------------------
---------------- 8 scans from 87.93.45.81 ------------------------
descr:          DNA Oy
descr:          DNA Finland
country:        FI
address:        PL 41
address:        Finland
address:        DNA Oy
address:        01741 Vantaa
---------------------------------------------------------------


Scriptlet :
------------------------------------------------------------------------
#!/bin/bash

# scriptlet to find out where the scans are coming from:
# pull the source IPs out of a Firestarter events file, rank them,
# and whois the busiest ones

echo "Enter the firestarter events file"
read -r events            # was: read $events, which reads into $REPLY, not $events

top=10                    # how many addresses to look up
tmp=$(mktemp)             # fixed names in the current dir could be clobbered
tmp_who=$(mktemp)
trap 'rm -f "$tmp" "$tmp_who"' EXIT

grep -E -o -h "Source:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" "$events" \
 | awk -F ":" '{ print $2 }' | sort | uniq -c | sort -nr | head -n "$top" > "$tmp"

while read -r count ip
do
        whois "$ip" > "$tmp_who"
        echo "---------------- $count scans from $ip ------------------------"
        grep 'country\|address\|descr' "$tmp_who" | sort -r | uniq
        echo "---------------------------------------------------------------"
        sleep 1           # be polite to the whois servers
done < "$tmp"

 -------------------------------------------------------------------------
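The tallying part of the scriptlet, done offline over a few constructed log lines so it can be run without a Firestarter box or a whois server, as an added example that is not part of the original post. Only the "Source:IP" field is taken from the post; the other field names in the sample lines (Port:, Service:) are an assumption about the events export format and may differ on your system. Besides ranking sources it also ranks destination ports, which is how you would confirm the "most scanned port" claim from the log itself.

```shell
#!/bin/bash
# Added example (not from the original post): an offline tally over a
# Firestarter-style events file, with no whois lookups. The sample lines
# below are constructed for this example; only the "Source:IP" field is
# taken from the post, the other field names (Port:, Service:) are an
# assumption about the export format and may differ on your box.

EVENTS_SAMPLE='Time:Apr 16 10:21:32 In:eth0 Port:1433 Source:58.221.60.159 Destination:10.0.0.5 Protocol:TCP Service:ms-sql
Time:Apr 16 10:21:40 In:eth0 Port:1433 Source:58.221.60.159 Destination:10.0.0.5 Protocol:TCP Service:ms-sql
Time:Apr 16 10:22:07 In:eth0 Port:1433 Source:58.221.60.159 Destination:10.0.0.5 Protocol:TCP Service:ms-sql
Time:Apr 16 10:30:11 In:eth0 Port:1433 Source:91.198.174.234 Destination:10.0.0.5 Protocol:TCP Service:ms-sql
Time:Apr 16 10:30:12 In:eth0 Port:445 Source:91.198.174.234 Destination:10.0.0.5 Protocol:TCP Service:microsoft-ds
Time:Apr 16 11:02:59 In:eth0 Port:22 Source:87.93.45.81 Destination:10.0.0.5 Protocol:TCP Service:ssh'

# rank_field REGEX N: extract the value after "Field:" on every stdin line and
# print "count value" for the N most frequent, busiest first, ties by value.
rank_field() {
    grep -E -o "$1" \
      | cut -d: -f2 \
      | sort | uniq -c \
      | sort -k1,1nr -k2,2 \
      | awk '{ print $1, $2 }' \
      | head -n "$2"
}

# Busiest source addresses (the post's regex, tightened to exactly four octets).
top_sources() {   # usage: top_sources N < events
    rank_field 'Source:[0-9]{1,3}(\.[0-9]{1,3}){3}' "$1"
}

# Most-hit destination ports (field name is an assumption, see above).
top_ports() {     # usage: top_ports N < events
    rank_field 'Port:[0-9]+' "$1"
}

# Hits from one address. Dots are escaped so they match literally, and the
# trailing ([^0-9]|$) stops 1.2.3.4 from also matching 1.2.3.40.
hits_from() {     # usage: hits_from IP < events
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -c -E "Source:${ip_re}([^0-9]|\$)" || true   # grep -c exits 1 on zero matches
}

echo "== top sources =="
printf '%s\n' "$EVENTS_SAMPLE" | top_sources 3
echo "== top ports =="
printf '%s\n' "$EVENTS_SAMPLE" | top_ports 3
```

Feed a real events file with `top_sources 20 < events.log` and pipe the addresses into whois as the scriptlet above does; keeping the counting separate from the lookups means you can re-run the tally as often as you like without hammering the whois servers.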

Conclusions :

  • Micro$oft products are the ones most searched for by worms and scanners
  • Firestarter is a hack, not for professional use
  • A lot of folks/worms from China scan everyone else all the freakin time!!

:)